European Insurance and Occupational Pensions Authority

Digital Operational Resilience: a challenge for the supervisory community

Publication date: 7 September 2022

Contribution to the Eurofi Magazine - September 2022

Digital operational resilience refers to the ability of a financial entity to build, assure and review its operational integrity and reliability.

The financial sector has always relied heavily on information and communication technology (ICT) and this reliance grew during the COVID-19 pandemic as customers increasingly used digital services. The dependency on ICT makes financial entities particularly vulnerable to cyber-attacks or incidents, a risk that has become more apparent in the light of Russia’s invasion of Ukraine.

The consequences of an attack or disruption of an important cross-border financial service can have far-reaching effects on other companies, sub-sectors, or even the rest of the economy, underlining the importance of digital operational resilience of the financial sector. This makes the policy of European Union’s Digital Operational Resilience Act, or DORA, even more relevant.

The current regulatory frameworks cover the ICT risk management and ICT security within the system of governance rules, which have been further detailed by the European Supervisory Authorities (ESAs) and national supervisory authorities into guidelines. For example, the European Insurance and Occupational Pensions Authority (EIOPA) published in 2020 its guidelines on ICT security and governance and outsourcing to cloud service providers.

As such, the existing EU legal framework for ICT risks and operational resilience in the financial sector is fragmented, with differences by type of financial entity and by Member State.

For example, although the European Central Bank’s work in developing TIBER-EU – the European framework for threat intelligence-based ethical red-teaming – has provided some convergence, almost every Member State has its own rules (for example, for carrying out resilience tests) and supervisory approaches (for example, for ICT third-party dependencies), leading to a lack of a level playing field, challenges for institutions operating cross-border and insufficient consideration of certain ICT risks.

Cross-border financial entities are under increased administrative and financial burden as a result of duplicative requirements and inconsistent provisions, such as the Directive on Security of Networks and Information Systems (NIS Directive) – which does not cover the insurance sector at European level, but has been included in the scope by some Member States – EU legislation on financial services, and national regulations (for example, for reporting incidents).

So the first thing that DORA will bring is harmonisation of the rules relating to operational resilience for the financial sector. As DORA will be lex specialis to the NIS Directive, DORA will cover the following important pillars: ICT risk management; ICT incident reporting; the testing of the operational resilience of ICT systems; and the management of ICT third-party risks, including an oversight framework for the pan-European critical ICT service providers (CTPPs).

DORA will also enhance cooperation among competent authorities, including those from different sectors (NIS authorities) and jurisdictions, in relation to ICT and cyber risk management. It has already enabled the issuance of a European Systemic Risk Board recommendation to the ESAs to set up a pan-European systemic cyber incident coordination framework for relevant authorities.

Finally, DORA will provide a framework on the basis of which oversight can be implemented on CTPPs, so that operational risks are addressed not only via the outsourcing arrangements of the financial institution, but also directly at the CTPP.

There will of course be challenges for supervisors. First, there will be the need for the overall integration of DORA supervision into broader supervisory processes. In addition, the speed of technological change means that supervisors will need to keep pace not only with innovation in the market, but also with the skills required to supervise that innovation. This in itself could be challenging given the high competition for such skills in the market.

Nonetheless, EIOPA is up to the challenge and will work closely with the other ESAs to contribute to the safety and security of Europe’s financial systems.

In conclusion, EIOPA considers the arrival of DORA to be both timely and needed. EIOPA looks forward to contributing to an operationally resilient industry, as part of its work to support the supervisory community and the industry in mitigating the risks and seizing the opportunities of the digital transformation – including through the implementation of DORA.

Thanks to Andrea Vetrone for his contribution to this article.